Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

Monday, August 18, 2014

Don't worry, your information's safe. Community Health Systems says data stolen in cyber attack: just a mere 4.5 million people affected this time.

I have often written about my observations of the generally unimpressive qualifications and capabilities of IT personnel, up to and including the CIOs, in healthcare settings (e.g., baccalaureate-level education in a doctoral and post-doctoral setting, usually no clinical or biomedical experience, no computer science background, no medical informatics background, and sometimes not even a formal management information systems education) compared to other sectors such as pharma and academia. I've written about this as an impediment to health IT progress and to healthcare IT safety.

U.S. hospital operator Community Health Systems Inc said on Monday personal data, including patient names and addresses, of about 4.5 million people were stolen by hackers from its computer network, likely in April and June.

The company said the data, considered protected under the Health Insurance Portability and Accountability Act, included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, Community Health Systems said in a regulatory filing.

It said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years.

If you're a department store, or a McDonald's, such breaches might be more understandable. When you're a life-critical industry such as healthcare, and under HIPAA regulations regarding privacy and confidentiality, these incidents are increasingly unforgivable.

The FBI warned healthcare providers in April that their cybersecurity systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions, Reuters previously reported.

Again, inexcusable. Health IT amateurs (and, of course, the Management Recruiting Firms that hospitals retain to find them, who are equally clueless about what it takes to be a health IT expert) don't just endanger your health; they endanger your economic well-being, even when you're not ill.

The company said it and its security contractor, FireEye Inc unit Mandiant, believed the attackers originated from China. They did not provide further information about why they believed this was the case. They said they used malware and other technology to copy and transfer this data and information from its system.

Just great.

Community Health, which is one of the largest hospital operators in the country with 206 hospitals in 29 states, said it was working with federal law enforcement authorities in connection with their investigation into the attack. It said federal authorities said these attacks are typically aimed at gathering intellectual property, such as medical device and equipment development data.

Oh, that's reassuring - our data's being stolen by honest thieves who would never, EVER think of selling the data to dishonest thieves who steal people's identities, and then money...

It said that prior to filing the regulatory document, it had eradicated the malware from its systems and finalized the implementation of remediation efforts. It is notifying patients and regulatory agencies as required by law, it said.

It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.

Oh, that's very nice. Millions of people potentially put at risk, but insurance will cover for incompetence.

Perhaps the insurers should more critically evaluate the quality of work of the people they're insuring.
